Microsoft has disclosed a pre-auth use-after-free vulnerability in the Microsoft Message Queuing (MSMQ) service running on Windows. MSMQ is a message queuing mechanism that allows different systems and processes to communicate reliably.
CVE-2024-30080 is rated critical, with a CVSS score of 9.8, and allows attackers to execute arbitrary code with the privileges of the server process. This issue was reported by k0shl with Kunlun Lab.
What is the impact?
Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on the server.
Are updates or workarounds available?
Microsoft has released an update addressing this vulnerability. Users are encouraged to apply this patch immediately.
How do I find potentially vulnerable systems with runZero?
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
os:Windows AND tcp_port:1801
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
Uniview has disclosed a vulnerability in their NVR301-04S2-P4 product.
CVE-2024-3850 is rated medium with a CVSS score of 5.4 and allows an attacker to send a user a URL that, if clicked, could execute malicious JavaScript in their browser.
What is the impact?
The affected product is vulnerable to a reflected cross-site scripting (XSS) attack. An attacker could send a user a URL that, if clicked, could execute malicious JavaScript in their browser. This vulnerability also requires authentication before it can be exploited, so the scope and severity are limited. Also, even if JavaScript is executed, no additional benefits are obtained.
Are updates or workarounds available?
Uniview encourages users to obtain the fixed version, Uniview NVR-B3801.20.17.240507, and update. You may contact your local dealer, Uniview Service Hotline, or regional technical support for assistance.
How do I find potentially vulnerable systems with runZero?
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
product:"NVR3%"
On May 28, 2024, Check Point disclosed a serious vulnerability in Check Point Security Gateway devices with certain remote access software blades (security modules) enabled. Per their guidance, devices are impacted if one of the following conditions is met:
The IPsec VPN Blade is enabled, but ONLY when included in the Remote Access VPN community.
The Mobile Access Software Blade is enabled.
The issue, identified as CVE-2024-24919, allows unauthenticated remote attackers to read arbitrary files on the targeted appliance. This vulnerability could be leveraged to read sensitive files such as those containing password hashes, certificates, and SSH keys.
This vulnerability has a CVSS score of 8.6 out of 10, indicating that this is a high-risk vulnerability. According to their disclosure and information provided by CISA, this vulnerability is being actively exploited. A report from mnemonic.io states that they have observed attacks at least as far back as April 30, 2024.
What is the impact?
Upon successful exploitation of the vulnerability, unauthenticated remote attackers could access password hashes for local users. If the hashes are cracked the attacker may be able to log into these user accounts if secondary controls, such as MFA, are not enforced. This includes service accounts that may be used to access Active Directory or other services. Attackers could leverage this information to move across a target’s network.
Are updates or workarounds available?
Check Point has released software updates to address this vulnerability. They also provide guidance for other measures that should be taken after the vulnerability has been addressed. These can be found in their advisory.
How do I find potentially vulnerable Check Point devices with runZero?
From the Asset Inventory, use the following query to locate assets that may be running the vulnerable operating system in your network:
hardware:"Check Point" AND (_service.last.http.body:"Check Point Mobile" OR _service.http.body:"Check Point Mobile" OR udp_port:500)
As exploitation reaches light speed, rapid, comprehensive discovery and Cyber Asset Attack Surface Management (CAASM) are more critical than ever
SAN FRANCISCO, CA — May 7, 2024 — At the RSA Conference today, runZero announced the inaugural edition of the runZero Research Report, the first in a series of publications that explore the state of asset security across global enterprises. As a leading provider of Cyber Asset Attack Surface Management (CAASM), this report leverages runZero’s unique perspective across hundreds of enterprise networks, including internal infrastructure, internet-facing assets, and cloud environments.
“Our research reveals alarming gaps and unexpected trends in enterprise infrastructure, including the decay of network segmentation, persistent challenges in attack surface management, and the increasing volume of dark matter on modern networks,” said HD Moore, founder and CEO. “runZero was built on the principle that applied research makes for better asset discovery, and that better asset discovery is the foundation of the modern exposure management organizations need to successfully defend against these challenges.”
IT and OT are converging, increasing the attack surface of organizations and requiring new techniques to discover and manage assets. OT systems are high-value targets for attackers and are consistently exposed to untrusted networks. Over 7% of the ICS assets sampled are exposed to the public internet. These assets include programmable logic controllers, power meters, and protocol gateways, all of which play an important role in critical infrastructure.
Outlier devices are often the most at-risk. The runZero outlier score, defined as how unique an asset is within the context of its neighbors, strongly correlates with the risk ranking reported by leading vulnerability scanners. This correlation works both ways, with low outlier scores consistently mapping to lower overall risk. Defenders can leverage outlier analysis to quickly identify the most vulnerable systems within their environments.
Security teams often have limited to no visibility into more than half of the physical devices on their networks. Network "dark matter" (devices that are often unmanaged by IT and rarely updated) comprises 19% of enterprise networks, while a further 45% of these devices offer limited management capabilities.
End-of-life hardware and operating systems continue to drag down security postures. Although Windows 2012 R2 and Ubuntu 14.04 are the most common EoL operating systems observed, obsolete versions of VMware ESXi and out-of-support network devices are serious concerns.
Printers and network-attached storage devices often allow traffic forwarding between networks, breaking network segmentation controls. runZero identified unexpected IP-forwarding behavior across dozens of device types, ranging from smart TVs to robotic vacuum cleaners.
Zero-day attacks at the network edge have surged and suppliers are struggling to provide timely patches. In the first four months of 2024, runZero published 23 Rapid Responses covering 60+ distinct vulnerabilities.
92% of systems running the Secure Shell (SSH) service allow password-based authentication, exposing these systems to brute force and credential stuffing attacks. In addition to insecure authentication methods, thousands of systems rely on hardcoded cryptographic keys that are shared between unrelated environments, negating many of the security benefits of the protocol.
Nearly 16% of all Transport Layer Security (TLS) implementations rely on an end-of-life version of OpenSSL, placing these systems at risk of future compromise. This finding was uncovered through runZero’s unique fingerprinting method that reliably identifies services by behavior, not configuration, to determine versioning.
Remote Desktop Protocol (RDP) security has improved on Windows with the introduction of Network Layer Authentication (NLA) support, but this has not carried over to Linux-based RDP implementations like xrdp, and many Windows systems have kept older, more vulnerable configurations.
Server Message Block (SMB) v1 is still enabled on 13% of Windows systems. Although SMBv1 is disabled by default on newer versions of Windows, there are still millions of legacy systems using this outdated protocol.
runZero’s research is focused on identifying at-risk devices through precise fingerprinting and fast outlier analysis. This report also describes runZero’s research process, the fingerprinting techniques created, and the practical results of these efforts.
Check out additional research from the runZero team
Register for the live report launch event at RSA on May 8th
Register for the virtual launch, a special edition of runZero Hour, on May 15th
Network segmentation, in its simplest form, is the act or practice of dividing a computer network into smaller parts, subnetworks, or network segments. In recent years, it has evolved into a foundational enterprise control to improve network performance and security. However, without effective verification strategies like Cyber Asset Attack Surface Management (CAASM), network segmentation can be easily undermined by misconfigurations and multi-homed machines.
Let’s explore a practical comparison to network segmentation: a house with an open floor plan. This design ensures ease of movement and makes the space feel larger, but presents a challenge for achieving privacy and security. You likely don’t want everyone who enters your home to have unfettered access to all areas. Adding walls and changing the architecture of a home is much harder after it’s been built; however, doors and locks can help add security controls while maintaining the original functionality. For example, if a contractor is scheduled to work on the garage, doors and locks add a level of segmentation that ensures access is only granted for the area where the work needs to be done. Lateral movement into the house is unlikely, and garage repair alone does not merit access to other areas. Essentially, network segmentation is akin to a house with defined areas of access, making spaces safe and secure when needed.
Limit the damage done by cyber attacks: Segmentation improves cybersecurity postures by limiting how far an attack can spread by reducing lateral movement. For example, segmentation keeps a malware outbreak in one segment from spreading to systems in another.
Protect vulnerable devices: Segmentation can prevent harmful traffic from reaching devices that are unable to protect themselves. For example, on a factory floor that contains OT/ICS devices that were not designed with advanced security defenses, segmentation can stop harmful Internet traffic from reaching them.
Contain network problems: Segmentation minimizes the impact of local failures on other parts of the network. When localized problems arise, network segmentation helps to minimize production downtime and reduce latency caused by misconfigurations.
Control access: Access can be controlled by creating VLANs to segregate the network. For example, visitors can access a “guest network” that lets them reach the Internet but not the corporate network itself. Another example is separating networks during a corporate divestiture, so that employees only have access to the corporate network of their own company and not the other.
Meet industry compliance standards: Regulations are a driving factor in network segmentation. For example, businesses subject to Payment Card Industry Data Security Standard (PCI DSS) requirements must validate cardholder data environment (CDE) segmentation during the security audit process. The PCI guidance on scoping and segmentation describes a common CDE administration model.
How do you verify network segmentation is implemented correctly?
Verifying that segmentation is working correctly can be challenging, especially across large and complex environments. Common techniques to validate segmentation, such as reviewing firewall rules and spot testing from individual systems, can only go so far, and comprehensive testing, such as running full network scans from every segment to every segment, is time intensive and rarely performed on a regular basis.
Verifying safe network segmentation with CAASM
Network bridge detection
Network bridge detection is a useful tool when validating the effectiveness of network segmentation and testing whether an attacker can reach a sensitive network from an untrusted network or asset. Examples of this include laptops plugged into the internal corporate network that are also connected to a guest wireless segment, or systems connected to an untrusted network, such as a coffee shop’s wireless network that also have an active VPN connection to the corporate network.
The runZero Platform detects network bridges by looking for extra IP addresses in responses to common network probes (NetBIOS, SNMP, mDNS, UPnP, and others) and only reports bridges when there is at least one asset identified with multiple IP addresses. Typical hardening steps, such as desktop firewalls and disabled network services, are limiting factors that will usually prevent multi-homed assets from being detected by runZero; however, the click-through demo below shows how to use network bridge detection to search for multi-homed assets in the runZero inventory.
Identifying Potentially Risky Network Bridges
This runZero network bridge report is an interactive view of possible paths that can be taken through the network by traversing multi-homed assets. Assets with only a single IP address are omitted to keep the graph practical and actionable for defenders.
runZero enables you to click through asset and subnet details within the external (red) and internal (green) networks. Clicking a bridged node once will highlight the networks it is connected to and show a link which leads to the full asset details for that node. Alternatively, clicking a network once will highlight the connections to bridged nodes and show a link to the Asset Inventory page with a CIDR-based inventory search.
This report helps you see where segmentation may be broken, and can cut down on the number of surprises encountered in a future security audit.
The Asset Route Pathing Report
The runZero Platform also enables you to visualize potential network paths between any two assets in an organization by creating the asset route pathing report. This unique methodology identifies surprising and unexpected paths between assets that may not be accounted for by existing security controls or reviews.
The report generates a graph of multiple potential paths by analyzing IPv4 and IPv6 traceroute data in combination with subnet analysis of detected multi-homed assets – without requiring access to the hosts or network equipment.
With a view of potential paths between assets, security professionals can verify whether a low-trust asset, such as a machine on a wireless guest network, can reach a high-value target, such as a database server within a cardholder data environment (CDE). Another example would be an OT asset (such as an engineering workstation) being able to access the IT network. This feature highlights potential network segmentation violations and opportunities for an attacker to move laterally from one segment to another.
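The two techniques described above (bridge detection from multi-homed assets, and route pathing that combines those bridges with traceroute hops to find a path between two assets) can be sketched in a few dozen lines. This is an added illustration, not runZero's code: the inventory, segment definitions and traceroute hops are constructed sample data, and the segment names and asset names are assumptions.

```python
import ipaddress
from collections import deque
from itertools import combinations

# Constructed sample inventory (not runZero data): asset -> IPs observed in
# responses to discovery probes such as NetBIOS, SNMP, mDNS and UPnP.
ASSETS = {
    "guest-laptop": {"192.168.50.23"},
    "eng-laptop": {"192.168.50.40", "10.10.1.15"},  # guest wifi + corp LAN
    "print-01": {"10.10.1.200", "10.20.5.200"},      # corp LAN + CDE
    "db-cde-01": {"10.20.5.10"},
    "hmi-01": {"10.30.0.5"},
    "dmz-web": {"203.0.113.10"},
}

# Constructed segment plan: these networks are meant to be isolated.
SEGMENTS = {
    "guest-wifi": ipaddress.ip_network("192.168.50.0/24"),
    "corp-lan": ipaddress.ip_network("10.10.0.0/16"),
    "cde": ipaddress.ip_network("10.20.5.0/24"),
    "ot": ipaddress.ip_network("10.30.0.0/24"),
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed traceroute observation: (source asset, hop IPs in order).
# The OT workstation's trace crosses a router into the corporate LAN.
TRACEROUTES = [("hmi-01", ["10.30.0.1", "10.10.1.1", "10.10.1.200"])]


def segment_of(ip):
    """Map an IP to its segment name, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)


def find_bridges(assets):
    """Multi-homed assets whose addresses span more than one segment."""
    bridges = {}
    for asset, ips in assets.items():
        segs = sorted({s for s in map(segment_of, ips) if s})
        if len(segs) > 1:
            bridges[asset] = segs
    return bridges


def build_graph(assets, traceroutes):
    """Undirected segment graph; each edge is labelled with the bridging
    asset or the traceroute that showed the two segments are connected."""
    graph = {name: [] for name in SEGMENTS}

    def link(a, b, via):
        if a and b and a != b:
            graph[a].append((b, via))
            graph[b].append((a, via))

    for asset, segs in find_bridges(assets).items():
        for a, b in combinations(segs, 2):
            link(a, b, asset)
    for src, hops in traceroutes:
        prev = segment_of(min(assets[src]))
        for hop in hops:
            cur = segment_of(hop)
            link(prev, cur, "traceroute:" + src)
            prev = cur or prev
    return graph


def find_path(graph, src, dst):
    """Breadth-first search; returns [segment, via, segment, ...] or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt, via in graph[node]:
            if nxt not in prev:
                prev[nxt] = (node, via)
                queue.append(nxt)
    if dst not in prev:
        return None
    path = [dst]
    while prev[path[-1]]:
        node, via = prev[path[-1]]
        path += [via, node]
    return path[::-1]


def asset_path(assets, src_asset, dst_asset, traceroutes=TRACEROUTES):
    """Potential segment-level path from one asset to another, or None."""
    graph = build_graph(assets, traceroutes)
    src = segment_of(min(assets[src_asset]))
    dst = segment_of(min(assets[dst_asset]))
    return find_path(graph, src, dst)


if __name__ == "__main__":
    print("bridges:", find_bridges(ASSETS))
    print("guest -> CDE:", asset_path(ASSETS, "guest-laptop", "db-cde-01"))
    print("guest -> OT:", asset_path(ASSETS, "guest-laptop", "hmi-01"))
    print("guest -> DMZ:", asset_path(ASSETS, "guest-laptop", "dmz-web"))
```

A real inventory would feed many more probe responses and traces into the same graph; the point is that one multi-homed printer is enough to connect the guest wireless segment to the CDE.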
Summary
In summary, network segmentation has many benefits, but verifying that it has been implemented properly can be a difficult, arduous task. runZero is here to help by reducing the burden of misconfigurations and/or improperly defined network boundaries, subnets and VLANs.
Not a runZero customer? Download a free trial today and achieve comprehensive asset inventory and attack surface visibility in minutes.
If you would like to read more about network segmentation and what runZero has found in the wild, check out Chapter 4 of the runZero Research Report that talks about the decay of segmentation.